Electronic System Architecture

This invention relates to an electronic system architecture and particularly to an 
electronic system architecture for a distributed domestic electronic system having a 
connection to a larger network such as a distributed domestic computer system connected to 
the Internet. 

Use of large electronic data carrying networks is steadily increasing. In general, the 
most significant and widely used network is the Internet, particularly for domestic or small 
business users. However, other networks such as corporate or government networks and 
local area networks connecting users on a single site or in a single office building do exist. 
Such private or local area networks are often themselves provided with connections into the 
Internet. 

An increasing number of services are being provided or proposed for provision 
through the Internet and other networks. Further, numerous devices intended to be controlled 
through or to report and communicate through a network, often for security or safety related 
functions, are coming onto the market. For example, the delivery of music or television 
signals to allow video on demand as an alternative to broadcast television and devices such 
as surveillance cameras or smoke alarms. 

In principle, such services can be provided through and such devices connected to 
any network, subject of course to the network performance being sufficient to meet the 
minimum requirements of a service or device. Network services can be provided through 
a satellite link such as DVB or DBS. However, in practice, most domestic users will be 
employing telecoms or cable television terrestrial links and this will also be the normal 
choice for most organisations. It is expected that the Internet will be the most common 
network choice. 

As the expense of hardware to allow Internet access in general as well as remote 
devices such as surveillance cameras and smoke alarms is reduced and as the number of 
services offered through the Internet increases there is an increasing tendency to have
multiple Internet accessing devices within the household and this tendency is expected to 
continue for the foreseeable future. For example, a single home could have one or more 
digital televisions able to display video on demand images retrieved through a wide area 
costly and inconvenient changes in number formats and area codes are required on a regular
basis. 

Accordingly, it is necessary to provide electronic systems including, but not limited 
to, small computer systems and networks able to connect multiple systems within a single 
building or household to one another and provide them with access to one or more 
connections to the Internet or other larger network at an acceptable cost. 

One method of doing this is to connect all of the devices requiring Internet access
to one another and to a server to form a Local Area Network (LAN). The server can then act
as a gateway to the Internet for all of the devices and control and arbitrate Internet access. 

Conventionally the electronic devices in such a LAN would employ a data bus in 
their construction and would usually be restricted to the use of one medium such as twisted 
pair wiring to interconnect the server and devices. However, there are a number of problems 
with this approach. 

Firstly, within the electronic devices, which may include but are not limited to
computers, there are problems due to the global nature of a data bus. An electrical fault at 
any place on the bus can disrupt data propagation between any two or more communicating 
elements, possibly resulting in complete product or network failure. 

Further, scalability is not possible on bus based systems. That is, it is not possible 
to add extra performance capability in response to desired workload with a linear relationship 
between capability and workload. 

Moreover, any communication between two parties on a bus is accessible by other 
parties who are not intended recipients of the information. Consequently, the only method 
available to secure data is encryption. Even then it is not possible to prevent devices not 
intended to receive data from accessing the data, albeit possibly in encrypted form. 

This lack of security in bus based systems may not appear to be a problem in a 
single household domestic system. However, there are many cases of fraud arising from 
illicit use of credit cards or cash dispenser (ATM) cards by family members, and the risk of 
mis-use of financial data within a household is a problem with data bus networks. Another 
problem is the provision of data services such as video on demand. The suppliers of such 
data effectively broadcast encrypted video data and users pay to be allowed to decrypt it. As 
a result, the data supplier has no objection to the encrypted video data passing through a local 
network, but would object to the decrypted video data being passed through a data bus
because of the ease of illicit copying. Consequently there is a considerable commercial
demand for products that inherently keep valuable data away from any means of copying it.

Further, the potential loss of privacy resulting from this lack of data security is a
problem, even within a household.

Finally, within either an electronic product or the network or networks to which it 
is connected, the availability of all data at all points on a data bus means that once an illicit 
user gains access to any data for one device on the network, most likely by remote access to
theserverovermetatemetoranoto 

These security problems are, of course, worse when the network is used by a small 
business or by more than one household, for example in a multiple occupancy dwelling. 

Another problem with a data bus based system is reliability. Generally, any fault 
on the data bus will disable the entire network. 

Further, in data bus based systems the overall performance of the system is limited
by the speed of the slowest device. This is because the data transfer rate or clock rate of the
bus cannot exceed the data transfer rate of the slowest device connected to it or reliable
communication cannot be carried out. As a result, improvements in the data transfer rate of
the network can only be achieved by replacing or upgrading all devices.

Also, data buses generate significant quantities of electromagnetic interference
(EMI).

Finally, data bus based networks are relatively expensive, and wide busses impose 
circuitboard,manufa^ 

devices to be networked. 

The present invention is intended to provide electronic system architectures, 
components, devices and networks overcoming these problems, at least in part.

In a first aspect the invention provides an electronic system architecture comprising
a plurality of client devices connected in a hierarchical structure where the client devices
form nodes in the structure interconnected by communications links in which one client
deviceatmetopofmehierar^ 

device is connected to a single client device through a single communications link in an
upstream direction and each client device is connected to a number, which may be zero, of 
client devices through the same number of communications links in a downstream direction,
in which downstream client devices have lower bandwidth requirements than any client 
devices upstream of them and the sum of the bandwidths of the communications links from 
each client device in a downstream direction is less than the bandwidth of the 
communications links in the upstream direction and any client device able to make a 
hardware access request to a client device further in the downstream direction supports 
exception handling of the request. 

In a second aspect, this invention provides a switch suitable for use in an electronic 
system to connect a local element to first and second bi-directional communication links, the 
switch comprising first and second receiving means able to receive messages along the first 
and second communication links respectively, first and second transmitting means able to 
send messages along the first and second communication links respectively and transfer 
means to send and receive data from the local element, in which the messages include data 
identifying their intended destination, the switch further comprising a message destination 
identification means able to identify received messages having the local element as their 
intended destination and the switch being arranged to pass messages so identified to the local 
element and to re-transmit messages not so identified received at the first receiving means 
from the second transmitting means and to re-transmit those received at the second receiving 
means from the first transmitting means without passing them to the local element. 

In a third aspect, this invention provides a device having at least two 
communications sections suitable for connection to similar devices along different 
bi-directional communications links, the device having a first communications section 
arranged to respond to reception of a clock transition along a first communications link by 
transmitting a clock transition having the same polarity back along said first communications 
link and a second communications section arranged to respond to reception of a clock 
transition along a second communications link by transmitting a clock transition having the 
opposite polarity back along said second communications link. 

In a fourth aspect, this invention provides an electronic communication network 
comprising at least two devices connected by at least one bi-directional communications link 
in which an oscillating loop is formed by a first device receiving a clock transition along the 
communications link and sending a clock transition having the same polarity back along the 
a second device receiving a clock transition along the

^.oprovideacicnksignainocnnn.lda.an^erdnngn.econ^nmcadnnsnnlc. 

In a fifth aspect this invention provides an electronic communication system
comprising at least three devices connected by at least two bi-directional communications
links, in which signals between two devices along each communications link are
independently encrypted.

Embodi.entsoft^^ 
reference to the accompanying direct figures in which: 

Figurelshowsanetworkstr^ 

Figure 2 shows details of the devices making up the network of Figure 1; 
Figure 3 shows details of a switch used in the devices of Figure 2; 
Figure 4A shows a receiver section used in the switch of Figure 3; 
Figure 4B shows a transmitter section used in the switch of Figure 3; 
FiguresSAandSBareexplanatorytin^gdiagramsshowm^ 

in the network according to Figure 1;

Figure 6 shows an encryption system suitable for use in the network; 
Figure 7 shows an improved encryption system for use in the network; 
Figure 8 shows another improved encryption system for use in the network;
Figures 9A to 9C show message formats and codes suitable for use on the network;
Figure 10 is an explanatory diagram showing how clock pulse circuits are
automatically generated between the devices of the network;
Figure 11 shows examples of clock data and frame signals on the network;
Figure 12 shows a device architecture according to the invention;
Figure 13 shows an alternative device architecture according to the invention;
Figure 14 is an explanatory diagram showing security features of the device
architectures;
Figure 15 shows a processor arrangement for use in the devices; and
Figure 16 shows an alternative message format for use in the network or devices.
An electronic network according to a first aspect of the invention is shown in Figure
1. This network can be made up of any communications, computer or other electronic
devices and products. Although this example is described in terms of a domestic, i.e.
single household, connection to the Internet which is expected to be the most common and 
most commercially significant use of the invention, it will be understood that the inventive 
architecture is equally applicable to commercial use or connection to any other digital 
communications network. 

In Figure 1 a server 1 is connected to the electronic system or architecture
comprising a plurality of client devices 2 arranged in a hierarchical structure through a
number of local network connections to form a local area network.

The server 1 may be a single server or a network of separate servers forming a host 
network such as the Internet. 

The client devices 2 are arranged in a hierarchical tree structure connected by 
branches formed by the communication links of the local area network. In the hierarchical 
structure branches lower down the structure have lower bandwidth than the branches above 
them, that is the branches through which they are connected to the server 1. Where multiple
downstream branches and a single upstream branch are connected to a single node, the sum
of the downstream branch bandwidths must be less than the bandwidth of the upstream
branch. Security of data is secured from the bottom of the system upwards, as will be 
explained below. 

The client devices 2 forming the end nodes of the system are client devices 2 having 
on-board processing capability and offer user access to server facilities. The client devices 
2 forming the nodes in the structure which are not end points control the provision of 
services to the lower client devices 2. They will have on-board processing capability and 
may also themselves be client devices 2 offering user access to server facilities in their own 
right in addition to controlling the provision of services to the lower level client devices 2. 

The reduction in bandwidth for branches further away from the server 1 is necessary 
in order to prevent the bandwidth requirements for the system increasing geometrically as 
it increases in size and to ensure that a lower level client device 2 cannot swamp a higher 
level client device 2 by demanding more bandwidth, that is a higher data transfer rate, than
the higher level client device 2 can support. 
One reason for employing a multiprocessor system comprising a plurality of
differentchentdevi^ 

requisite computing capability where it is most needed and to provide the appropriate
electronics for a given function in the most economic and effective location to provide said
function in a reliable and maintainable fashion.

Another reason for employing a multi processor system comprising a plurality of 
separate client devices 2 is to allow data to be kept secure. This data security may be 
necessary to ensure authorised control, financially reliable e-commerce or simply privacy.
Forexample,anapphc^ 
besuscepubletoextemalat^^ 

in a separate unit will enhance the security of the e-commerce functions and improve the 
predictable quality of service that can be obtained when using the smart card. 

In order to provide the desired data security the inventive electronic system 
architecture supports hierarchical data structures. Access to a specific client device 2 is 
controlled by that client device 2 alone. Higher level data users, that is the server 1 and client

d evices2situatedbetw^^^^ 

level client devices 2 for their data and be able to authenticate these requests. Of course,
client devices 2 which do not have a requirement to safeguard data, may freely pass requests
and responses through themselves or respond to requests for any unprotected data they hold
without requiring any authentication.

Access requests from higher level client devices 2 to lower level client devices 2
may be made by hardware or software. If a higher level client device 2 is able to make a
hardware access request of a lower level client device 2 this hardware access request may be
permitted to pass through any intermediate client devices 2 unmodified. If the hardware
access request is blocked, the intermediate level client device 2 will attempt to make the

to be transparent so that hardware and software access requests appear the same to the
originating client device 2, the intermediate client device 2 will need to be provided with

to carry out an access request in place of an aborted hardware access request. It is
undesimbletodemandmeuaeofexcopfionpmeesatogelementaatainevelainttreeompn^ 
system due to the resulting increase in cost. However, any client device 2 which does not
support exception processing must either be an end point in the hierarchical system or be a 
client device 2 which never makes or passes hardware access requests to lower level client 
devices 2. 

An example of this requirement would be a set top box able to retrieve digital video 
signals from the Internet for display on a digital television. The set top box will itself be a 
client device 2 connected to the Internet in the form of an Internet server 1 through one or 
more other client devices 2 and is controlled by an infrared remote control equipped with an 
integral smart card interface. In order to operate the remote control it is necessary to plug 
in the user identifying smart card. When the smart card is in place the remote control can 
instruct the set top box to allow pay-per-view, video on demand or similar restricted access
digital video signals to be displayed on the television. 

Clearly, although both the set top box and the remote control are client devices 2 
the set top box cannot make a hardware access to the smart card and must rely on a software 
protocol over the infrared link. As a result, the processor in the set top box does not need to 
support exception processing even though the remote control is a lower level device than the 
set top box in the network. 
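
The two structural rules stated above (downstream link bandwidths summing to less than the upstream link, and exception handling required wherever hardware access requests are made or passed downstream) can be checked mechanically over a proposed topology. The following is an added illustration, not part of the patent text; the class, field names and bandwidth figures are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class ClientDevice:
    name: str
    uplink_bw: float                    # bandwidth of the single upstream link (constructed units)
    exception_handling: bool = False    # processor supports exception handling
    hw_access_downstream: bool = False  # makes or passes hardware access requests downstream
    children: list = field(default_factory=list)


def check_hierarchy(device, problems=None):
    """Walk the tree from the top client device and collect rule violations."""
    problems = [] if problems is None else problems
    if device.children:
        downstream = sum(child.uplink_bw for child in device.children)
        # Rule 1: the downstream links together must need less than the upstream link,
        # so a lower level device cannot swamp the device above it.
        if downstream >= device.uplink_bw:
            problems.append((device.name, "bandwidth"))
        # Rule 2: a device without exception handling must be an end point or must
        # never make or pass hardware access requests to lower level devices.
        if device.hw_access_downstream and not device.exception_handling:
            problems.append((device.name, "exception-handling"))
    for child in device.children:
        check_hierarchy(child, problems)
    return problems


def set_top_box_example():
    """The set top box case from the text: software protocol only over the infrared link."""
    remote = ClientDevice("remote_control", uplink_bw=0.1)
    stb = ClientDevice("set_top_box", uplink_bw=40, children=[remote])
    pc = ClientDevice("pc", uplink_bw=50, exception_handling=True)
    return ClientDevice("gateway", uplink_bw=100, exception_handling=True,
                        hw_access_downstream=True, children=[stb, pc])


def misconfigured_example():
    """Constructed counter-example breaking both rules."""
    top = set_top_box_example()
    stb = top.children[0]
    stb.uplink_bw = 60               # 60 + 50 is no longer below the gateway's 100
    stb.hw_access_downstream = True  # hardware access without exception handling
    return top


if __name__ == "__main__":
    print(check_hierarchy(set_top_box_example()))
    print(check_hierarchy(misconfigured_example()))
```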

Each client device 2 forming a node in the electronic network according to the first 
aspect of the invention is an active information processing device able to manipulate data 
passing through it. Or, more precisely each client device 2 can manipulate the data it 
receives and can selectively re-send this data. A minimum amount of processing would be 
nil, that is what comes into a node goes out. Alternatively, very little of the original 
information received by a client device 2 forming the node may be passed on. At one 
extreme, a particular client device 2 may even send on none of the data received, instead it 
may respond to the received data by sending on a different message containing different data 
which is however related to or derived from the received data. 

The highest upstream client device 2 nearest to the server 1 will provide a gateway 
to the server and will control and arbitrate server access for the entire network. This gateway 
client device 2 will normally have to support different communications protocols on the 
network and for communications with the server, although the protocols could be the same. 
The passing of data through the client devices 2 forming nodes in the network
allows hierarchical security to be implemented by client devices 2 at nodes higher up the 
network controlling provision of services to lower components while client devices forming 
nodes lower down the network control end user authentication. Thus, essentially, the higher 
nodes facilitate server side security while the lower nodes facilitate client side security. 

Because the individual communications links between pairs of nodes can be 
physically separate and client devices 2 forming the nodes can selectively pass on received 
data to the next node or block it, data security on the network can be greatly improved
because data is made available only to client devices 2 requiring the data and those client 
devices 2 forming part of the data path along which the data travels. Thus, the security 
feature of data only being physically accessible at particular points in the network can be 
used to provide an additional level of security over and above that provided by encryption 
alone. Further, because the data carried out between different pairs of client devices 2 and 
different nodes can be made not just logically but also physically distinct, failure of a single
communications link or client device 2 will not necessarily disable the entire system. The
extent to which the system will continue to function after a failure is of course dependent
upon the size, structure and function of the network, the function of the individual client
devices 2 making it up and the type and location of failure, so it cannot be guaranteed that
all systems would in practice be able to continue partial functioning following all possible
failures. However, the possibility of partial functioning following a failure exists
according to the invention in a way which cannot be provided in data bus based networks. 

A generic client device 2 is shown in Figure 2. It will be understood that this
illustration is intended only as an explanatory diagram to explain the functions of a generic
client device 2 and is not intended to imply any particular component arrangement or
physical structure.

Forillustouon.aseriesofcl^^ 
a top node M and bottom node 0 and the client device 2 forming intermediate node N+1 is
shownmdetail. Thenetworks^^ 

has been selected for clarity and it will be understood that other network structures are
possible. 
The client device 2 comprises three main components, a local switch 3, a local
processing section 4 and a local data input and output section 5. 

In operation data is passed up and down between the client devices 2 situated at the 
chain of nodes forming the network. At each node information is sent or received up or 
down the chain through the local switch 3 of the client device 2. In each client device 2 the 
switch 3 operates under the control of the client device 2 only. Data being passed through 
the network is directed to a specific destination and this destination may be defined logically 
or physically. All client devices 2 making up all nodes are able to receive data and those 
client devices 2 which are not end points of the network are able to pass data on. In principle 
the client device 2 at any node may initiate an information transaction by sending data to 
another client device 2 at another node. However, it is possible that some client devices may 
not do this in practice because their function only requires them to receive data and not 
initiate information transactions. 

The switch 3 in each client device 2 can be as complex as required by the specific 
application. However, the minimum functionality of the switch 3 is that it must remove all 
received messages destined for its local client device 2 from the incoming data stream and 
pass on in the same direction along the network chain received messages destined for client 
devices 2 other than the local one. 

It might appear that this functionality conflicts with the comments above that a
particular client device might not pass on data in the received form but might instead send
on entirely new data in response to receiving the original data. In terms of the switch
functionality described above the original data would be regarded as a message destined
for the local node which would then initiate sending of a new message carrying the new data.

As explained above, the switch 3 forwards messages destined for other client 
devices 2 along the chain and extracts the received message destined for the local client 
device 2 from the stream of messages passing along the network. These messages destined 
for the local client devices 2 are passed to the local processing section 4. 

The local processing section 4 processes the received data as required. When 
necessary, the local processing section 4 passes data or instructions to a local input/output 
section 5 which can be a data display device or some equipment under the control of or 
reporting to the local processing section 4 or an interface to some external equipment under
the control of or reporting to the client device 2. Similarly, the local input/output section 5
can send data as necessary to the local processing section 4. The local processing section 4
processes this data and as determined by data received from the switch 3 and local
input/output section 5 and any other factors such as current time the local processing section
prepares messages to other client devices 2 and sends them to the switch 3 to be sent out
through the network.

In principle a client device comprising only a switch 3 and local processing section

' 4 or only a switch 3 and looal proving section 5 would be possible although to practice 
there are very few circumstances under which a client device able to receive, process and
send data only upon the network and having no local input and output function would be
useful Similarly.sltooughaclien.deviceable.otopntlc^al.ygenen^dautdhec.lyonw 
to ne b votaorou,u.dau.nomtoenemo*diree,lyispossibleitwi.lnonna.lybetoec^ 

will be necessary. 

Although the section 5 is described as the local data input and output section 5, in
practice this might in some applications be data output only or data input only. The switch
3 is normally able to support a full duplex operation.

A switch 3 is shown in detail in Figure 3. The switch 3 comprises two separate

b.ockear^vesmessageaftnmto.neain^upsheamand^^nK^estotoe^ 

6b receives data from the next node downstream and sends data to the next node upstream.

The switch blocks 6 are interconnected by a link 7 to provide a data path for
acknowledgements of received messages and each switch block 6 is connected to send out

received data from the local processor 4 along lines 8.

Other than the link 7 to allow the automatic generation of acknowledgements of
received messages and notification of receipt of acknowledgements there is no other direct
connection between the upstream and downstream switch blocks 6a and 6b.
Each switch block 6 contains a receiver (input) section 9 and a transmitter (output)
section 10 which operate under the control of a synchronising finite state machine forming 
part of the switch block 6. 

Suitable examples of receiver and transmitter structures are shown in Figures 4a and 
4b, in which Figure 4a shows the receiver structure while Figure 4b shows the transmitter 
structure. 

The receiver section 9 receives messages only from the transmitter section 10 of a
switch block 6 of a client device 2 forming an adjacent node, although the actual data carried
by the message may have originated anywhere in the network. 

Each message includes a message type and routing information section identifying 
the originating client device 2 and destination client device 2, the type of message and the 
amount of data carried and usually a data payload section made up of the data carried by the 
message. However, some types of messages, particularly acknowledgements of receipt of 
earlier messages, may just be identified as such by the message type and routing information 
section and carry no payload data. 

Each message is received along the input data path by a synchroniser element 11
and then passed to a message type and routing element 12 which examines the message type
data carried by the message to see what type of message it is. If the message is an 
acknowledgement that a message has been received, this information is passed to a finite 
state machine 17 which notifies the other switch block 6 of the local switch 3 that the 
notification has been received over the link 7, so that the other switch block 6 knows that its 
opposed input section is ready to receive the next message. The input section 9 then awaits 
the next message. 

If the message is not identified as an acknowledgement by the message type and 
routing element 12, the message type and routing element 12 extracts the route identification 
information carried by the message, that is the local circuit number of the client device 2 for 
which the message is intended, and passes it to a route comparator 13. The route comparator 
13 compares the destination circuit number extracted from the message with the local circuit 
number held in a local circuit number store 14. If the route comparator 13 identifies the 
circuit numbers as being identical, the message type and routing element 12 passes the relevant
parts of the message type and routing information to the host IF element 16 and the message 
payload element 15 passes the data content of the message to the host IF element 16. The
host IF element 16 sends this data to the other parts of the client machine 2. That is, this data
is sent to the local processing section 4 and/or the local input and output section 5.

Alternatively, if the two items of route information are not identical the message is
passed to the transmitter section 10.

In either case, once the message has been sent either to the transmitter section 10
or to the other parts of the local client device 2 the state machine 17 of the receiver section
9 instructs the other switch block 6 of the local switch 3 to send an acknowledgement of
receipt response on its behalf back to the client device 2 at the adjacent node from which the
message was received. This acknowledgement informs the sending client device 2 that the
receiver section 9 is ready to receive the next message.

The transmitter section 10 can receive messages for transmission both from the
receiver section 9 forming part of the same switch block 6 or from other parts of the local
client device 2 and can be instructed to send acknowledgement of receipt messages by the
receiver section 9 of the other switch block 6 of the local switch 3. Since the transmitter
section 10 can only send one message at a time the state machine must arbitrate between
the message sources and some means of temporarily storing or buffering messages for
sending must be provided. Further, since the operation of the receiver section 9 and
transmitter section 10 of a single switch block 6 is not synchronised and may be operating
at different clock rates, that is the rate at which data is received at and transmitted from a
single switch block 6 may be different, and the length of the received and transmitted or

the receiver section 9 and transmitter section 10. The necessary buffer may be locally

In this example the transmit host IF section 17 which receives data from other parts of the
local client device 2 incorporates a transmit buffer and another buffer is located within the
switch block 6 between the receiver section 9 and transmitter section 10, but this is not
shown in the figures.

When a message is to be sent the data to be carried is passed from the buffer or the
host IF 17 to a payload store 18. The data is then passed to a message type and routing
generator 19 which generates the appropriate message type and routing information part of
the message based on data provided by the host IF 17 or simply checks and repeats the
message type and routing information already incorporated into the received message. When
the message originates from the local client machine 2 the local circuit number identifying 
the originating client device 2 is provided to the message type and routing generator 19 by 
a local circuit number store 20. 

In response to an instruction from the receiver section 9 of the other switch block 
6 of the local switch 3 to send an acknowledgement of receipt message, the message type and 
routing generator 19 generates a message type and routing information part of the message 
identifying it as an acknowledgement. There is no data payload to be carried by such a 
message. 

Finally, when the ready status of the appropriate receiver section 9 of the client 
machine 2 at the adjacent node is confirmed, the assembled message is sent along the 
communications link to that client machine 2 through a transmit synchroniser 21. 

In the above discussion the receiver section 9 and transmitter section 10 are both 
shown as being controlled by a synchronising finite state machine. There may be a separate 
controlling finite state machine for the transmitter section 9 and receiver section 10 or there 
may be a single synchronising finite state machine controlling the entire switch block 6. 
Similarly, separate local circuit number memories 14 and 20 are shown for the receiver 
section 9 and transmitter section 10. Clearly, these could be replaced by a single common 
local circuit number memory. 

As explained above, the transmitter section 10 can transmit messages both from the 
receiver section 9 of the same switch block 6 or from other parts of the local client device 
2 or acknowledgements as instructed by the receiver section 9 of the other switch block 6 of 
the local switch 3, but can only send one message at a time so that the finite state machine 
must arbitrate between the three message sources. In order to avoid degrading the perceived 
bandwidth and latency of the network, acknowledgements will take priority followed by 
messages passed to the transmitter section 10 from the receiver section 9 of the same switch 
block 6. 

For clarity, the above description has assumed that each local client device 2 has a 
single local circuit number associated with it. It would of course be possible for a local client 
device 2 to be assigned multiple local circuit numbers. 
In conventional bus based systems a signal sent onto the bus is received at all 
devices connected to the bus effectively simultaneously 

option -ha, signals placed on me bus are pmpagat* ,o « poin* on *.J- 

w^^««-<.^^— ~^^"^*Z 

^^bee^of^^e^.br^e.ec.nea.signa.a^r^^P^^ 

are available everywhere simultaneously on the bus. 

In contrast, the electronic network according to the invention is an asynchronous 

time delay being multiples of the time taken to transmit the message from one client 
device 2 to the next client device 2 at the adjacent node. 

An illustrative example is shown in Figures 5a and 5b which show the same simple 

linear group of nodes shown in Figure 2. 

node N is illustrated. At time t=0 a message is sent from node N+1 to node N. 

receive another message. 

A more complex example is shown in Figure 5b in which a message is 
sent from node M at the top of the network to node 0 at the bottom of the network. At time t=0 
the message is sent from node M to node N+1. Then, at time t=1 node N+1 acknowledges 

Jk - ~ a,ti,ough ^^3^ 
acknowledgementareidentifiedasbemgatmuesPlar.dt-arespeetrvey 

1 no. synchronous and ean oecur a, different times, i, is possible «- *r «£- 

m<Kt hoth wait for completion of sending of any message abeady ^ 

Z « an acknowledgement is sen, back ,0 node N + » by node N and a. time M me 
message is copied to node 0. Finally, at time t=5 node 0 sends an acknowledgement of 
receipt of the message to node N. 

No acknowledgement that the message has been successfully received at node 0 is 
passed to node M. Only successful receipt at the next node is acknowledged at each step of 
the message journey. In order to minimise the amount of system bandwidth used the 
acknowledgement is a simple last message received acknowledge which does not contain any 
data identifying the original message or its content or any original message route data. The 
acknowledgement is always an acknowledgement of receipt of the last message sent in the 
opposite direction, so there is no need to include this data in the acknowledgement message. 

The switch block architecture described above is a minimal implementation having 
only a single buffer between the transmit and receive sections. Once a received message has 
been passed from the receiver section 9 to the transmitter section 10 the receiver section 9 
can begin receiving a second message, so that the switch block 6 as a whole is effectively 
double buffered. 

One disadvantage of this minimalist switch block architecture is that where a series 
of messages are to be passed through the node, the rate at which incoming messages can be 
received is limited to the rate at which outgoing messages can be transmitted because a 
received message cannot be transferred to the buffer to allow the next message to be received 
until the message previously transferred to the buffer has been transmitted. This problem can 
be overcome by use of a more complex architecture by increasing the size of the buffer to 
allow multiple messages to be held, allowing the switch block 6 to act as a speed matching 
element. Such an enlarged buffer able to hold multiple messages must be a first in first out 
(FIFO) type memory to keep message order passing through a node constant, but there is no 
limit to how many messages the FIFO buffer can hold, that is the FIFO buffer can be 
arbitrarily deep as required to allow smooth data flow and is only limited by cost. 

The network architecture described above provides a basic level of security for data 
within the system because messages sent to a client device 2 at a particular node are extracted 
from the signal flow along the network by the local switch 3 and so are not available or 
accessible to client devices 2 at nodes further along the network. Further, messages sent 
through a client device 2 at a particular node to a client device at another node are passed 
through the local switch 3 of the intermediate client 

local processing section 4 of the intermediate client device 2. 

This basic level of security is of course vulnerable. Normally, it would be possible 
for a user of a client device to use the local processing section 4 to gain access to messages 
passing through the local switch 3 to other client devices 2, but casual eavesdropping would 
be prevented. Also, anyone with physical access to the system could use instruments such 
as a logic state analyser to record transactions along a data path and an unauthorised node 
could then be inserted into the data path 
to carry out some form of attack on the network's data integrity. However, such an attack is 
dependent upon having physical access to the system. 

Better data security can be obtained by encrypting the messages sent along the 
individual data links between pairs of connected nodes. 

A first method of doing this is shown in Figure 6, in which each of the receivers 9 
and transmitters 10 making up the switch blocks 6 of a local switch 3 is provided with a 
programmable exclusive OR element 33 which applies a logical exclusive OR function to 
each message after reception by the receiver section 9 or before transmission by the 
transmitter section 10. 

The exclusive OR function applied by the programmable exclusive OR elements 
33 in each local switch 3 takes the form of an exclusive OR mask controlled by the local 
processing section 4. 

The exclusive OR mask encodes the entire transmitted message so that as well as 
the actual data carried by the message the message header and routing information such as 
the recipient virtual circuit 

The exclusive OR mask applied by the exclusive OR elements 33 may be modified 

to change the exclusive OR mask. 

Such a system will render attacks on the system using a logic state analyser 
worthless because it will not be possible to identify what messages mean and even if an 
attempt is made to deduce the exclusive OR mask used this should be defeated by the 
periodic changes. 
When changing the exclusive OR masks, this can either be done by instructing all 
client devices 2 to change into the new exclusive OR mask at a set future time or by 
propagating a mask change message through the network so that each client machine 2 in 
turn receives the mask change message telling it to apply the new exclusive OR mask to all 
future messages and to re-send the mask change message to the next client device 2 at the 
next node. Either approach should be effective, although the asynchronous nature of the 
system and the fact that the switch blocks 6 operating in opposite directions in the same 
switch 3 and the receive and transmit sections 9 and 10 of each switch blocks 6 are not 
synchronised will require some protocol to be applied to deal with messages being 
transmitted or received when instructions to change the exclusive OR mask are received or 
are due to be executed. 

The messages encrypted by the exclusive OR mask are identical in size to the 
original messages before encryption and accordingly this encryption method does not impose 
any bandwidth penalty on system performance. 
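
The per-link masking described above, modelled on a three-node chain as an added example (not code from the patent). It checks that masked messages keep their length and differ from link to link, and that two messages sent under one mask XOR to the XOR of their plaintexts, which is what the periodic mask change limits. The cyclic repetition of the mask, the message-count trigger for changing it, the sample data and all names are assumptions.

```python
from itertools import cycle


def xor_mask(message, mask):
    """XOR every byte of the message (header included) with the mask.

    The mask repeats cyclically over the message (an assumption); the
    same call masks and unmasks, and the length never changes.
    """
    if not mask:
        raise ValueError("mask must not be empty")
    return bytes(m ^ k for m, k in zip(message, cycle(mask)))


class Link:
    """One communications link between two adjacent nodes.

    `masks` stands in for the sequence of masks the two ends agree on;
    the mask is changed after `max_messages` messages (hypothetical knob).
    """

    def __init__(self, masks, max_messages):
        self._masks = iter(masks)
        self.mask = next(self._masks)
        self.max_messages = max_messages
        self.sent = 0
        self.wire_log = []          # what a probe on the link would record

    def transfer(self, message):
        if self.sent >= self.max_messages:
            self.mask = next(self._masks)   # both ends switch together
            self.sent = 0
        on_wire = xor_mask(message, self.mask)   # transmitter section 10
        self.wire_log.append(on_wire)
        self.sent += 1
        return xor_mask(on_wire, self.mask)      # receiver section 9


def relay(message, links):
    """Pass a message hop by hop; each link masks it with its own mask."""
    for link in links:
        message = link.transfer(message)
    return message


def mask_cancels(capture_a, capture_b, plain_a, plain_b):
    """True when two captures XOR to the XOR of their plaintexts, i.e.
    both were sent under the same mask and the mask has dropped out."""
    return xor_mask(capture_a, capture_b) == xor_mask(plain_a, plain_b)


def demo():
    # Constructed sample data: three 6-byte messages and fixed masks.
    msgs = [bytes.fromhex("514200000001"),
            bytes.fromhex("5142000000ff"),
            bytes.fromhex("514200001234")]
    link_a = Link([bytes.fromhex("a5c33c5a0ff0"),
                   bytes.fromhex("17e4298b6d02")], max_messages=2)
    link_b = Link([bytes.fromhex("9e01d47b33c8")], max_messages=100)
    delivered = [relay(m, [link_a, link_b]) for m in msgs]
    log = link_a.wire_log
    return {
        "delivered_intact": delivered == msgs,
        "same_length": all(len(c) == len(m) for c, m in zip(log, msgs)),
        "links_differ": link_a.wire_log[0] != link_b.wire_log[0],
        # Messages 0 and 1 share a mask on link_a; message 2 follows a change.
        "same_mask_cancels": mask_cancels(log[0], log[1], msgs[0], msgs[1]),
        "changed_mask_cancels": mask_cancels(log[1], log[2], msgs[1], msgs[2]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The shorter the interval between mask changes, the fewer captures share a mask and the less of this relation is available to anyone recording the link.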

An improved level of security can be provided by the incorporation of an auxiliary 
security processor within each local switch 3. 

Referring to Figure 7 a local switch section 3 is shown comprising two switch 
blocks 6a and 6b operating on the downstream and upstream data paths through the switch 
3 respectively. The local switch 3 also includes an auxiliary security processor 34. 

The auxiliary security processor 34 sets the exclusive OR masks applied by the 
exclusive OR elements 33 instead of the exclusive OR masks being set by the local 
processing section 4 as in the system without the auxiliary security processor 34 described 
above. 

In operation, the auxiliary security processors 34 in the opposed local switches 3 in 
client devices 2 in adjacent nodes communicate with one another exchanging public 
encryption keys. The auxiliary security processors 34 then use these public keys to encrypt 
and issue exclusive OR masks to each other which are applied to the messages sent between 
them. This communication and exchange of public keys is carried out by injecting additional 
messages into the message stream along the communications link between the two nodes. 
This will require additional received message routing and processing and transmit message 
arbitration by the receiver sections 9 and transmitter sections 10 since the system will now 
as well as messages to and from the local processing sections 4 and messages to be passed 
on along the network to other nodes and acknowledgements. 

The exchange of public keys and setting of exclusive OR masks is carried out 
separately by each auxiliary security processor 34 for messages to and from the next node 
upstream and to and from the next node downstream so that the upstream messages and 

At intervals, each auxiliary security processor 34 will re-establish communication 
with the auxiliary security processors 34 in adjacent nodes and in a synchronised manner 
they will change the exclusive OR masks. Using this system it is only necessary that the 

being time based they could also be changed independently based on the number 
of messages exchanged along each communications link or based on some combination of 
these two criteria. 

Itis— ^ent.^ytosam.exchasiveORn^mbomm^ 

on any given communications link between nodes. However, this is not essential. It is only 
essential that the same exclusive OR mask be used to encrypt and decrypt messages in one 
direction along each communications link. The exclusive OR mask used in the receiver 
section 9 of the downstream switch block 6a and exclusive OR mask employed in the 
^^sectitm.Ooftoup^swi^b.oek^bmagiven^sw.^Jn^n^^^ 
^^e.SimiWy.toi.^sa.whiohu.eseexciusiveORn^-ohnng^^ 

different. However, having different masks in each direction on the same communications 
link will effectively double the amount of processing which must be carried out by each 
auxiliary security processor 34 and double the amount of messages which must be sent to 
control the encryption. Accordingly, the use of the same masks in each direction on each 
communications link may be preferred. 

The use of the same or different encryption masks in each direction on each 
communications link are equally valid and which is used is a matter of designer or user 
choice. 
One advantage of this system is that the encryption process is carried out entirely 
by the auxiliary security processors 34 contained within each local switch 3 so that the local 
processing sections 4 and any related applications do not have control over or have access 
to the mask generation and encryption process. This increases the security of the encryption 
because a user cannot access any data regarding the encryption masks used from an 
application at a client device 2. Further, even if the local switch 3 of a client device 2 is 
physically accessed, only the encryption masks used for messages passing to and from that 
local switch 3 are compromised, and these messages are available at the local switch 3 
anyway. 

Another advantage is that the actual mask generation and encryption by the 
auxiliary security processor 34 does not have to be carried out in real time. That is, the mask 
generation and encryption can be carried out by the auxiliary security processor 34 out of 
band while the rest of the local switch 3 is sending and receiving messages using the already 
set exclusive OR masks. As a result, the time taken to carry out the mask generation and 
encryption process is not critical so that the auxiliary security processor 34 can be simple, 
small and cheap microprocessors, enabling them to be incorporated into the local switch 
elements 3 with only a marginal effect on costs. The auxiliary security processor 34 could 
be embedded in macro cells within the local switch elements 3. 

In the above examples the auxiliary security processors 34 are shown as a single 
unit connected to both of the switch blocks 6a and 6b of a local switch 3. It would of course 
be possible to employ separate auxiliary security processors within each security block 6a 
and 6b but the two auxiliary security processors will have to be in contact with one another 
to properly control the encryption process. 

This arrangement ensures that any attempt to compromise the system and extract 
data would have access to only a part of the data carried on the network for a relatively short 
period of time. 

When the network is first switched on, or after a network wide system reset, the 
auxiliary security processors 34 will exchange public keys and set the exclusive OR 
encryption masks before allowing any other messages to be sent. 

A method of further enhancing the security provided by the auxiliary security 
processors 34 is to incorporate smart card user authentication into the local switches 3. 
An example is shown in Fig 
to the auxiliary security processor 34 is incorporated into the local switch 3. 

Insertion of the smart card into the socket 35 acts as user authentication and enables 
the auxiliary security processor 34 to begin operation. Further, the smart card 35 provides 
a seed or seeds for the exclusive OR encryption masks used. 

When a smart card is not present in the smart card socket 35 the local switch 3 is 

in practice to also include connections from the smart card socket 35 to other parts of the 
in the socket 35. 

Further, even if a physically compatible smart card is connected to the smart card 
socket 35, if this smart card is not a correct smart card, for example if it is valid only until 
a given date which has passed, it will not be able to provide an exclusive OR mask seed. As 
a result, the auxiliary security processor 34 will be unable to set effective exclusive OR 

— --«-»-*--"* , ■ 4 *' 1- ■ ,,-, 
3 will again be unable to function. 

As explained above, even without the use of an auxiliary security processor 34 the 
method of operation of the network architecture according to the invention provides some 
security. Whether the improved encryption based security options as described above are 
used or not will, like most security decisions, be a trade off between the importance placed 
on security and costs. 

If user authenticating smart cards are to be employed they can be used for one, some 
or all local switches 3 in the network depending upon the degree of security required. In 
some very high security applications it may be appropriate to employ smart cards for user 
authentication at all local switches 3 while in less security critical applications it may be 
sufficient to employ smart card user authentication only at the gateway client device 2 
connecting to the Internet or the gateway client device 2 containing and generating the most 
security critical data. 
It will be understood that the above described security features are a function of the 
network hardware and software itself and are entirely independent of and transparent to 
applications employing and operating over the network. Any application based security 
features such as data encryption by the applications are entirely independent of the security 
features described above. 

The use of exclusive OR masks is advantageous because it imposes little extra delay 
on message transmission and reception, does not increase message size and can be simply 
and cheaply implemented. However, alternative encryption masks or arrangements could 
be used. 

One example of a message format and codes suitable for use in a system of this type 
will now be described. 

As shown in Figure 9a the message format has a message type and routing section 
comprising a 2 bit message type code, 2 bit data size code, and 6 bit destination and source 
identifiers. The message format may also have a data section comprising a 32 or 128 bit data 
payload. 

This arrangement simplifies the logic employed in the finite state machines of the 
switch blocks 6 as the bit counter and early termination can be processed during the 
following field. 

Use of the 6 bit source and destination code in the example would limit the network 
to 64 client devices at 64 nodes. This is considered to be adequate for most domestic 
systems. However, this is purely an example and more destination and source identifier bits 
could be made available as required. 

The message type codes are shown in Figure 9b and these identify the message as 
being an acknowledgement of the last message sent or the security level of the message. In 
this example, level 1 messages are non-secure messages between processing elements at the 
nodes. Each node may only send data request messages or responses to earlier requests in 
this format and may only receive requests for data or return information in response to an 
earlier request. Message passing of this type is normally used to report interrupt requests and 
carry network protocols. 

Messages including data being sent to and from the applications of the client devices 
2 rather than to and from the switches 3 themselves are also regarded as level 1 messages. 
Level 2 messages are pre-encoded messages between application processors to set 
up inter-node encryption masks and are essentially special purpose level 1 messages. 

Level 3 and 4 messages are used for communication between the auxiliary security 

processors 34 at different nodes. 

Acknowledgement messages 

as such by the message type code. 

The data size codes are shown in Figure 9c and these indicate whether the message 
includes zero data, one word (32 bits) of data or four words (128 bits) of data as a payload. 
Normally, only acknowledgements will have a zero data content. 
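
The message layout above, packed and parsed in Python as an added example (not code from the patent). The field order within the 16-bit header, the size-code values (the patent gives them only in Figure 9c), the byte order and all names are assumptions; the message type is kept as an opaque 2-bit value because its codes appear only in Figure 9b.

```python
from dataclasses import dataclass

# Assumed size-code values; the patent gives them only in Figure 9c.
SIZE_CODE_TO_BYTES = {0: 0, 1: 4, 2: 16}   # no data, one 32-bit word, four words
BYTES_TO_SIZE_CODE = {v: k for k, v in SIZE_CODE_TO_BYTES.items()}
HEADER_BYTES = 2                            # 2 + 2 + 6 + 6 = 16 bits


class FrameError(ValueError):
    """Raised for a frame that does not match the layout."""


@dataclass(frozen=True)
class Message:
    msg_type: int          # opaque 2-bit code (values are in Figure 9b)
    dest: int              # 6-bit destination identifier
    src: int               # 6-bit source identifier
    payload: bytes = b""   # 0, 4 or 16 bytes


def pack(msg):
    """Build header (type, size, dest, src: assumed order) plus payload."""
    if not 0 <= msg.msg_type < 4:
        raise FrameError("message type must fit in 2 bits")
    for name, ident in (("dest", msg.dest), ("src", msg.src)):
        if not 0 <= ident < 64:
            raise FrameError(f"{name} must fit in 6 bits")
    try:
        size_code = BYTES_TO_SIZE_CODE[len(msg.payload)]
    except KeyError:
        raise FrameError("payload must be 0, 4 or 16 bytes") from None
    header = (msg.msg_type << 14) | (size_code << 12) | (msg.dest << 6) | msg.src
    return header.to_bytes(HEADER_BYTES, "big") + msg.payload


def parse_one(buf, offset=0):
    """Parse one frame at offset; return (Message, next_offset)."""
    if len(buf) - offset < HEADER_BYTES:
        raise FrameError("truncated header")
    header = int.from_bytes(buf[offset:offset + HEADER_BYTES], "big")
    size_code = (header >> 12) & 0x3
    if size_code not in SIZE_CODE_TO_BYTES:
        raise FrameError(f"reserved size code {size_code}")
    end = offset + HEADER_BYTES + SIZE_CODE_TO_BYTES[size_code]
    if end > len(buf):
        raise FrameError("truncated payload")
    msg = Message(header >> 14, (header >> 6) & 0x3F, header & 0x3F,
                  bytes(buf[offset + HEADER_BYTES:end]))
    return msg, end


def parse_stream(buf):
    """Split back-to-back frames; the size code alone fixes each length."""
    msgs, offset = [], 0
    while offset < len(buf):
        msg, offset = parse_one(buf, offset)
        msgs.append(msg)
    return msgs


def split_for_node(buf, local_circuits):
    """Separate frames addressed to this node from frames to pass on.

    `local_circuits` is a set, since a node may hold several numbers.
    """
    local, forward = [], []
    for msg in parse_stream(buf):
        (local if msg.dest in local_circuits else forward).append(msg)
    return local, forward


if __name__ == "__main__":
    # Constructed sample frames.
    stream = pack(Message(1, 5, 2, b"\x00\x00\x00\x01")) + pack(Message(0, 2, 5))
    print(parse_stream(stream))
```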

As indicated in Figures 4a and 4b 
carries data, clock and frame signals. 

The data signal is of course the actual data making up the messages carried on the 

network as explained above. 

The clock signal is required to ensure that the opposed transmitter and receiver 
sections 9 and 10 in the switches 3 at each end of each communications link in the system 
are sending and receiving data at the same rate 

Conventionally, networks operate with a common clock signal throughout the 
network with any differences being due to propagation delays only and indeed such a 
common clock arrangement is mandatory in a databus type system. 

In the inventive electronic network architecture 
pairs 9 and 10 in the switches 3 of adjacent nodes are connected so as to form an 

and receiver and the data link between them. This logic loop is shown diagrammatically 
in Figure 10. 

A c.ocks a urs^nouisgenem.e4tato^«u.gsecnon9oftoupsnea» 
^ m ,0 of to Ml switch 3b a, to dovmaream node. The Cook fuosrhon . .ton 

teU ps^.oomswi tt h3awherei,ispa^baok to toh^mngaeonon9andre.se«. 
This provides a loop with a gain of -1. 






WO00/0234S PCT/GB99/02125 


If the total delay around the loop is regarded as δTu plus δTd, where δTu is the 
delay passing through the upstream local switch 3a and δTd is the delay passing through the 
downstream local switch 3b the clock pulse loop will resonate at a frequency having a period 
of approximately 2(δTu + δTd). 

In the system it is a requirement that the delay in either node, that is δTu and δTd, 
is sufficient for a transmitter section to send a bit from its output register or for a receiver 
to correctly receive and store an incoming bit. 

In the loop the inverter gives a 180° phase shift and the rest of the phase shift at the 
loop resonating frequency is provided by the various delays to the signal going around the 
loop. 

This allows the clock signal used on each data link in the network to be 
automatically set to the optimum value for the quickest data transfer allowed by the 
electronics in the opposed local switches 3, the length of the communications link and 
ambient temperature. 

The switches 3 are arranged so that when their upstream or downstream sections are 
not connected to another switch 3 through a communications link, an unconnected 
downstream transmitting port is held at a clock logic level of one while an unconnected 
upstream receiving section is held at a clock logic level of zero. 

When the unconnected upstream and downstream sections of two powered switches 
are connected in opposition through a communications link, the logical one produced by the 
downstream transmitting section of the upstream switch 3 overrides the logical zero on the 
upstream receiving section of the downstream switch 3. This change appears to the 
downstream switch as a clock status transition so that the loop begins oscillating as set out 
above. 

This provides the advantage that new client devices can be connected to the system 
in operation and a clock signal enabling communication with the new client device will 
automatically be generated. Further, when a client device is not connected the unconnected 
ports are held at a constant voltage level with no A.C. activity and so will not generate any 
electromagnetic interference. 

Systems enabling automatic connection of new elements to an operating system, so 
called hot plugging, exist, but known systems of this type require the continuous 
to connection of a new device to be detected. As a result, such known systems 

Further, known systems of this type require complex hardware an 
allow newly connected devices to be integrated into a system. 

It will be understood that the above description is purely exemplary. The clock 
logic levels held at the different unconnected ports can be varied in many combinations 
provided that an apparent clock pulse start transition is generated on connection. 
^ Insel^e — in te ,oop is no, easenUa,, to e eesertria, en-n ,s 

an odd number of inversions. The precise location of the or each inversion 

^o«t thp inverter 36 can be in either switch 3. 

daUlrnks, P ^ ^ m ^ 

be automatically compensated for by a change in 
operating speeds of the switches 3 due to temperature changes. 

It should be understood that the clock rate for each communications link in the 

net work may be differ, and in p^Cice i, prob*.y wi« be a, .east *W 
^^ugbuaenrte^c.ockr^u^byme^heaSa^urec.ock^used^ 

•'"is:*-— r-^r: 

•. i. „„. ,«eimal and in some summons will no, be 
regarded as highly advanlageous rt is no, essential ano 

link between the switches 3 of adjacent nodes. Where only a one-way 
^rp^-ex^ewhere^.one-wayn^-^^. 
conventional method of setting and synchronising clock rates will have to be used. 
An example of the clock, data and frame signals in one direction along a single 
communication link is shown in Figure 11. 

The use of bit-synchronous timing is preferred to allow the data rate between 
adjacent nodes to be as high as possible without losing bandwidth due to preambles for 
synchronisation. This is also simple to implement. 

Messages may be partially pipelined if desired. If mid-message pipelining is to be 
used, the local switches 3 along the pipelined data route must cooperate so that they are all 
using the same clock rate along all of the communication links. This common clock speed 
will have to be the lowest along the data route. Accordingly, setting a common clock rate 
should be carried out by the local processing sections 4 of the client devices 2 requiring 
message pipelining instructing the necessary switches 3 to do this only when pipelined 
messages are to be sent, the locally set clock rates as described above being otherwise used. 

In any given network, one node will be the furthest upstream and one will be 
furthest downstream. The furthest upstream node is deemed to be the network master for 
position resolution purposes and allocation of logical or virtual circuit numbers. Being at the 
uppermost node, on startup or reset it will not have an incoming clock signal on its output 
(upstream) facing receiver. On start up or system reset all switches 3 send clock signals 
downstream and the presence or otherwise of a received clock signal from upstream is used 
to determine whether or not a node is a master. After clock signals have been received or not 
for a preset period, the fact that a switch 3 is at a master node or not will be indicated in a 
status register and then reset status will be de-asserted. 

After reset all switches 3 are configured with an assigned address of zero. The 
assigned circuit is then determined from the master node outwards by the switch 3 at the 
master node being logical circuit zero and sending a message downstream to node 1 giving 
the logical circuit number 1. The switch 3 at node 1 captures that message and assigns itself 
the received circuit number, using the result as its own node address. The switch 3 at node 
1 then increments the received circuit number and sends it downstream to node 2. This 
process continues, assigning the virtual circuit numbers node by node. If necessary, a given 
node may be allocated more than one circuit number. These address allocation functions 
may be carried out by hardware or software in the switches 3 or by local processing in the 
client device 2. 
simultaneously on the different downstream timing receiving sections and arbitrating which 
received message should be transmitted next. 

The use of separate transmitting sections to each communications link is not strictly 
essential, a single transmitting section could be used together with switching downstream of 
the transmitting section to select the destination node. However, the use of separate 
transmitting sections for each communication link is preferred because this allows the 
automatic clock rate setting technique and enhanced security techniques outlined above to 
be used fully. 

The network architecture described can also be used as an architecture within the 
individual client devices 2 to provide the local processing section 4. 

Although such an approach to device architecture is overly complex for a single 
processor device, in practice most devices will be multiprocessor devices which can benefit 
from this architectural approach. 

A typical multiprocessor and local processing section 4 is shown in Figure 12. 

The processing section 4 is formed by a plurality of processors 40, six processors 
40a to 40f in the example, linked together into a chain by a series of in/out buses or data 
transfer links 41a to 41e, each of which links a pair of processors 40. 

Data is carried in and out of the processing section 4 by an in/out bus or link 42 
leading to other elements such as the local switch 3 and local input and output section 5. 
Although the connections 41a to 41e can be buses, such buses will only link two consecutive 
processors 40 in the chain and not all of the processors 40 as in a conventional bus-based 
multi-processor device. 

Separate video input and output buses 43a and 43b linking all of the processors 40 
are provided in order to prevent video devices from swamping the interprocessor connections 
41 with very large quantities of video data. 

The processing section 4 operates similarly to the linear network described above 
with the processor 40a being regarded as the highest upstream processor and controlling 
external access to and from the processing section 4. 

It will be understood that all data transfer to and from the downstream processors 
40 is potentially gated and controlled by the upstream processors 40, thus providing security. 
a communications link 41 or a processor 40 communication between the remaining parts of 
the device can still be effected by routing messages around the loop in the direction avoiding 
the break. 

In the event of a suspected failure any processor 40 can test the integrity of the loop 
by attempting to send messages to itself in both directions around the loop and if one or both 
of these messages is blocked sending messages to the other processors 40 in turn until the 
failure point can be determined. 

Although contra rotating loops have been used in the past in FDDI (fibre distributed 
data interface) based systems they have never before been used in device level architectures. 
The use of a dual contra rotating loop imparts a level of system robustness not achievable 
with traditional parallel bus based architectures. 

Further, the communications bandwidth within the device is effectively increased 
since any source processor 40 can transmit data in both directions to the same destination 
processor 40. By appropriate location of the processors 40 around the loop any particular 
processor can be allowed to provide twice the bandwidth into the system that it can do using 
a linear arrangement with the hardware being otherwise identical. 

It might appear that because data is sent around the loop in both directions that some 
of the security advantages discussed above regarding the network architecture will be lost 
for the loop device architecture. However, this is not necessarily the case. The security 
advantages provided by the non-availability of messages at some nodes in the system can 
still be provided in the loop device architecture for processors which send messages in only 
one direction around the loop in normal operation. This would allow enhanced security to 
still be achieved when the device is operating normally and security would be compromised 
only when a failure forced the message sending direction to be altered. If the loop structure 
is used to increase bandwidth from a particular processor there will be a trade off between 
security and available bandwidth. 

A suitable processor structure for use within the device structures shown in Figures 
12 and 13 is shown in Figure 15. 

Analogously to the network architecture, in the device architecture each processor 
40 includes a switch element 43 as well as the actual application processor 44. Accordingly, 
a virtual circuit will pass through the switch 43 to a particular port on the processor 44. 

The level of data security supplied within the devices can be enhanced similarly to 
the data security provided across the network by providing exclusive OR masks, or other 
encryption facilities, to allow the messages passed between the processors 40 at different 
nodes of the device to be encrypted. 

Such encryption schemes are analogous to the network level encryption schemes 
described above and so will not be described in detail here. Such encryption can employ 
exclusive OR masks set under control of the applications processor 44 or set autonomously 
by an auxiliary security processor incorporated within the processor 40 and controlling the 
exclusive OR masks employed by the switch or switches 43 of the processor 40 in a similar 
manner to the auxiliary security processor described with regard to network security. 

Similarly to the network based auxiliary security processors, the auxiliary security 
processors forming part of the individual processors 40 within a device can also be controlled 
and provided with mask seeds by a smart card. 

The security advantages provided by this arrangement at device level are similar to 
those provided at network level. 
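The per-link masking described above can be sketched as follows. This is an added example, not the specification's own implementation: the 32-bit word size follows the Figure 16 payload, while the SHA-256 derivation of a mask from a seed, the per-message counter and the names A, B and C are assumptions, since the text does not say how a mask is obtained from a seed.

```python
import hashlib


def mask(seed: bytes, direction: str, counter: int) -> int:
    """32-bit XOR mask for one direction of one link (derivation is assumed)."""
    material = seed + direction.encode() + counter.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(material).digest()[:4], "big")


class Switch:
    def __init__(self, name, link_seeds):
        self.name = name
        self.link_seeds = link_seeds   # {peer: seed shared with that peer only}
        self.counters = {}             # messages handled per directed link

    def _step(self, peer, direction):
        n = self.counters.get(direction, 0)
        self.counters[direction] = n + 1          # new mask for every message
        return mask(self.link_seeds[peer], direction, n)

    def send(self, peer, payload):
        return payload ^ self._step(peer, f"{self.name}>{peer}")

    def receive(self, peer, wire):
        return wire ^ self._step(peer, f"{peer}>{self.name}")


def build_chain():
    """Constructed three-processor chain A-B-C with one seed per link."""
    s_ab, s_bc = b"constructed seed A-B", b"constructed seed B-C"
    return (Switch("A", {"B": s_ab}),
            Switch("B", {"A": s_ab, "C": s_bc}),
            Switch("C", {"B": s_bc}))


def relay(a, b, c, payload):
    """A sends to C through B; B unmasks and re-masks for the next link."""
    wire_ab = a.send("B", payload)
    wire_bc = b.send("C", b.receive("A", wire_ab))
    return wire_ab, wire_bc, c.receive("B", wire_bc)


def static_mask_leak(p1, p2, fixed_mask):
    """With a mask that never changes, two wire words XOR to p1 ^ p2."""
    return (p1 ^ fixed_mask) ^ (p2 ^ fixed_mask)
```

The last function is the check a reviewer would apply to any exclusive OR scheme: a mask held constant across messages cancels out and leaves the XOR of the two payloads, which is why the sketch steps the mask on every message.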

The above-described device architectures are purely linear chains of processors 40 
or loops of processors 40 and it is expected that these architectures would normally be the 
most convenient for real devices. However, alternative arrangements similar to those 
proposed for the network would be possible. 

The clock rate employed between separate processors of a single device and the 
message size to be employed can be set in a similar manner to the techniques described 
above for use in the network. 

The use of the above-described architectures for both a network as a whole and the 
individual devices within it is preferred because of the advantages provided as explained 
above. However, this is not essential and the described architecture is intended to be usable 
for networks regardless of the architecture used within the individual devices making the 
network and for devices regardless of the architecture of the network they are connected to 
or indeed whether they are connected to a network at all. 

In both the network architecture and the non-loop device architecture, it is possible 
to connect additional devices or processors further downstream without affecting the 
operation of the upstream parts of the network or device. This allows hot plugging of both 

device even though this involves the elements at the extremes of the network or device 
having redundant components and capabilities. 

The use of asynchronous transfer mode (ATM) as a network transport protocol is 
regarded as particularly advantageous in terms of network performance. However, at present 
the necessary hardware to implement ATM at an acceptably low cost for a domestic network 
is not available. 

The data links between nodes in the network can be provided by mains carrier 
modem, category 5 twin twisted pairs, 75 Ω coaxial cable, wireless or consumer infrared. 
This is a list of suitable examples and is not intended to be exhaustive. 

An alternative message format to that shown in Figure 9A is shown in Figure 16. 

In this alternative message format, the message has a fixed size with a payload of 
32 bits only. Accordingly, there is no requirement for a data size code. The 6 bit source 
identifier is replaced by an 8 bit virtual circuit number used to identify the source. 

The message formats given are purely examples. As other alternatives, it would be 
possible to include message type and size in a single code if a variable message size was 
required rather than having separate message type and message size codes. 

The above described examples are purely exemplary and the person skilled in the 
art will realise that numerous changes and substitutions can be made within the scope of the 
invention which is defined by the appended claims. 

the local element as their intended destination and the switch being arranged to pass 
messages so identified to the local element and to re-transmit messages not so 
identified received at the first receiving means from the second transmitting means 
and to re-transmit those received at the second receiving means from the first 
transmitting means without passing them to the local element. 

4. A switch as claimed in Claim 3, in which messages passed to the local element are 
passed in full. 

5. A switch as claimed in Claim 3, in which when a message is passed to the local 
element only pre-set parts of received messages are so passed. 

6. A switch as claimed in any one of Claims 3 to 5, in which re-transmitted messages 
are re-transmitted without any amendment. 

7. A switch as claimed in any one of Claims 3 to 6, in which the local element needs 
to send data and the switch further comprises a message generating means arranged 
to receive data from the local element, generate a message incorporating this data 
and data identifying the intended destination and provide the message to the 
appropriate one of the transmitting means to be sent along the appropriate 
communications link. 

8. A switch according to any one of Claims 3 to 7, in which the switch further 
comprises an acknowledgement generating means and an acknowledgement 
identifying means, so that when a message has been sent by the first or second 
transmitting means, no further message is sent by that transmitting means until the 
acknowledgement identifying means identifies an acknowledgement received by 
the respective one of the first or second receiving means and that when a message 
has been received by the first or second receiving means the acknowledgement 
generating means generates an acknowledgement and has it sent by the respective 
one of the first and second transmitting means. 

14. A switch according to Claim 12 or Claim 13, in which the switch is linked to a 
smart card interface and operation of the security processor is enabled by placing 
a smart card in the interface. 

15. A switch according to Claim 14, in which the smart card provides data used by the 
security processor to control the encrypting and decrypting elements. 

16. A switch according to any one of Claims 10 to 15 in which the encrypting and 
decrypting elements apply exclusive OR masks to the messages to be transmitted 
or received respectively. 

17. A switch according to any one of Claims 3 to 16, in which the switch further 
comprises first clock pulse handling means to receive a first clock pulse along the 
first communication link and then send it back along the first communication link, 
second clock pulse handling means to receive a second clock pulse along the second 
communication link and then send it back along the second communication link, a 
clock pulse generator and an inverter so that when the switch is connected to a 
similar switch along a bi-directional communication link the switches will form a 
resonant loop and the switch being arranged to use the resonant frequency of the 
loop as the clock frequency for signals along the communication link. 

18. An electronic system comprising a plurality of switches according to Claim 17, 
linked by bidirectional communication links in which adjacent pairs of switches 
form a resonant loop along each communication link and use the resonant frequency 
of the loop as a clock frequency for sending signals along the communication link. 

19. An electronic system as claimed in Claim 18, in which the system is arranged in a 
hierarchical structure and each switch has a clock pulse generator arranged to send 
an initial clock pulse in a downstream direction and an inverter arranged to invert 
a clock pulse received from an upstream direction before sending it back. 

the second communications section is not connected to another device, it holds a 
second clock state having an opposite polarity to the first as an input. 

28. A device as claimed in Claim 26, in which when the second communications 
section is not connected to another device, it holds a first clock state as an output 
and when the first communications section is not connected to another device, it 
holds a second clock state having an opposite polarity to the first as an output. 

29. A device according to any one of Claims 26 to 28 in which, when the first 
communications section is linked to the second communications section of another 
device or vice-versa through a bi-directional communications link, the linked 
communication sections form an oscillating loop and the device uses the oscillating 
signal as a clock signal for communication along the communications link. 

30. A device as claimed in Claim 29, in which, when the communication sections are 
first linked, the difference between their held input and output clock states causes 
the loop to begin oscillating. 

31. An electronic communication network comprising at least two devices connected 
by at least one bi-directional communications link in which an oscillating loop is 
formed by a first device receiving a clock transition along the communications link 
and sending a clock transition having the same polarity back along the 
communications link and a second device receiving a clock transition along the 
communications link and sending a clock transition having the opposite polarity 
back along the communications link, and the first and second devices use the clock 
transitions travelling around the loop to provide a clock signal to control data 
transfer along the communications link. 

32. A network as claimed in Claim 31, in which the clock transitions travelling around 
the loop are used as said clock signal. 

33. An electronic communication system comprising at least three devices connected 
by at least two bi-directional communication links in which signals between two 
devices along each communications link are independently encrypted. 

34. A system as claimed in Claim 33, in which signals in opposite directions between 
two devices along each communications link are independently encrypted. 

35. A system according to Cl[…] 
signals are differently encrypted. 

36. A system according to any one of Claims 33 to 35, in which the signals are 
encrypted and decrypted by the devices sending and receiving them respectively 
along each communications link. 